General Computer Questions
What happens when you 'delete' a file?
Is it possible to determine when files were deleted?
What's the difference between formatting, defragmenting and wiping?
Will encryption protect my data?
Can password or encryption protection be cracked?
Electronic Discovery Questions
What is "Electronic Evidence"?
What is "Electronic Discovery"?
Why is electronic discovery important?
How is Electronic Discovery impacting the legal profession?
Is there any advantage to having my computer data processed electronically, rather than
providing it on paper for evidence purposes?
What benefits does electronic discovery provide for law firms?
What benefits does electronic discovery provide for corporate counsel?
What is "Spoliation"?
What is metadata and why is it important?
What happens when you 'delete' a file?
Remember going to the library and wanting to find a particular book? You would go to the card catalog and look the
book up. The card would tell you which section and on what shelf the book was located.
When you save a file the computer stores information about the files location similar to the way information about
books is stored in a card catalog. When you want to look at a file, the computer uses that information to find where
the file is stored so it can display the information in the file.
Now go back to the library, let say you remove a card from the card catalog and throw it away
("deleted it"); throwing the card away does not remove the book from the shelf. The same holds true when you delete a
file. The computer throws away the "card" or in real terms deletes the information about where the file is located,
but just like the book, the file is still there.
So how does the file get removed from the computer? By using the card catalog example again, and now that the card has been
removed from the card catalog, the librarian can look through the card catalog to see if there are any open spaces
on the shelf to put new books. The librarian creates a new card for the new book, places it in the card catalog, and
goes to place the book on the shelf. If there is a book in the space where the card catalog indicated there was not one,
the librarian will then remove the old book and place the new book in its place.
The computer does the same thing with a new file. It looks to see where the empty spaces are to put the new file.
But instead of removing the old file it just writes over it.
Then the old file is considered deleted. The only difference here is that traces of the old file may still be present.
Return to Top of Page
Sometimes it is possible (depending on the operating system) to determine when a file was deleted even if it is removed
from the recycle bin.
Return to Top of Page
Formatting, defragmenting, and wiping are three common processes used by people attempting to destroy computer records.
Formatting a drive is a quick and easy task that eliminates the document indexes and file/folder pointers on a
computer hard drive. This would equate to going into a library and throwing out the entire card catalog. In most
cases, the formatting does not harm the data on the hard drive. The contents of the documents, files, and folders
still physically exist on the hard drive and are fully recoverable by a computer forensic expert.
Defragmenting is easily thought of as a reorganization of the computer's filing cabinet. To make the computer run more
efficiently, all of the files are condensed to the smallest space possible, reorganized, and placed at the front of
the drive. Defragmenting a computer will not harm the active data (the data that a user can normally access on their
own) but may render recoverable deleted data virtually unrecoverable.
However, depending on the size of the drive, the amount of data, and order of operations, in certain circumstances deleted
files might still be recoverable even after defragmentation.
Wiping involves the use of a software program to intentionally overwrite data with a specific or randomly generated
pattern of "1s" and "0s". If run properly, a wiping utility will make the data unrecoverable to even a computer forensic
expert. Depending on the software program that was run, computer forensic experts might be able to tell the date, time, and
specific program used to conduct the wiping.
Return to Top of Page
The answer depends on the sophistication of the encryption technique and the power of the computer attempting to
break the encryption. The short answer, probably yes.
A piece of data is translated into a form that is meaningless to an unauthorized person. Without the proper key
(a specific unique series of characters) and the specific cryptographic algorithm used to encrypt and decrypt, the
content of the encrypted data may be difficult or even impossible to derive.
Poorly encrypted data can be retrieved and scrutinized but most proven crypto-systems provide a degree of protection
that cannot be overcome by normal means. Retrieving encrypted data relies on the cooperation of the people involved.
If people do not cooperative and refuse to provide their key, there may be no way to gain access to a plain text version
of what is protected in this way.
Return to Top of Page
Usually yes, but not always. Passwords are easier to crack than encryption because passwords are made up of a
series of letters and/or numbers. Password cracking software uses the parameters it is given to basically try
every possible combination of letters and/or number until it finds the combination that matches the password.
This can take anywhere from a few minutes to many weeks depending on how sophisticated the password.
Encryption is a whole different matter. A piece of data is translated into a form that is meaningless to an
unauthorized person. Without the proper key (a specific unique series of characters) and the specific cryptographic
algorithm used to encrypt and decrypt, the content of the encrypted data may be difficult or even impossible to
crack.
Return to Top of Page
Electronic evidence is any computer-generated data that is relevant to a case. Included are email, text documents,
spreadsheets, images, database files, deleted email and files and back-ups. The data may be on floppy disk, zip
disk, hard drive, tape, CD or DVD, cell phones, and PDA's.
Return to Top of Page
Electronic discovery, often referred to as E-Discovery or EDD, is the collection, preparation, review and
distribution of electronic documents associated with legal and government proceedings. A wide variety of sources
are fair target for discovery requests, such as files which resides on laptop computers, office PCs, network servers,
floppy discs, CDs, tape backups, other archive media, and third-party storage and archival systems.
Electronic discovery involves the following steps:
- Identify likely sources.
- Gather electronic evidence avoiding spoliation and maintaining the chain-of-custody.
- Make the collected data readable and useable.
- Filter the data to achieve a relevant, manageable collection of information.
- Make the information available in TIFF, PDF, or native file format.
Return to Top of Page
Why is electronic discovery important?
The production of documents in electronic form provides lawyers with a wealth of information that is crucial for
complete discovery and disclosure. Electronic discovery provides visibility into the content of email and associated
attachments, documents, spreadsheets and presentations. It reveals hidden information such as formulas, links,
graphic images and email routing metadata that does not appear on printed pages.
Return to Top of Page
Federal Rule of Civil Procedure 26(a)(1) requires disclosure of documents, data compilations and other tangible
things that the parties may use to support their claims, defenses or damages computations.
Although FRCR 26(a)(1) requirements are seemingly straight forward, the process of identifying and locating
responsive documents and data has become more complex as people and companies continue to shift their information
transmission and storage functions from paper to electronic media.
As a result, attorneys must now frequently call on electronic discovery and computer forensic experts to assist in
the preservation of electronic information at the outset of litigation, as well as in the gathering of documents
responsive to Rule 26(a)(1) and other discovery requests.
Return to Top of Page
Yes. Documents in electronic form are far more discovery-friendly, can be searched by using keywords and contain
additional information about when the document was created, modified and accessed. Electronic documents also are
significantly less expensive to duplicate than paper and can be shared over the Internet. Other
advantages include the ability to lock documents to protect them from alteration, and the ability to authenticate
a documents identity using a digital signature.
Return to Top of Page
- It allows you to be more competitive in securing new client business by utilizing the most effective electronic discovery methods and services.
- Electronic discovery enables you to be more competitive with opposing counsel by having better information and visibility into your clients' electronic documents.
- It gives you better control over the discovery process, ensuring that your litigation support team is finding the right information without missing deadlines.
- It makes the review and evaluation of electronic information easier, thus increasing your ability to review and assess relevant case information within discovery time limits.
- Electronic discovery gives you more accurate assessments of your clients' exposure.
- Electronic discovery may reveal hidden information that would not otherwise be seen in printed form.
Return to Top of Page
What benefits does electronic discovery provide for corporate counsel?
- It helps corporate counsel gain better control over legal expenditures related to discovery, which results in better utilization of your financial resources.
- Electronic discovery gives you complete and unbiased access to information, helping to avoid surprises about what information exists within your company's electronic files.
- It allows clear understanding of the level of legal risk in order to make informed business decisions about resolving legal matters.
- Electronic discovery helps to understand and gauge the company's legal exposure. Having visibility into the company's level of legal exposure is important to the management team, insurance company, risk management and corporate compliance departments, board of directors and shareholders.
Return to Top of Page
What is "Spoliation"?
Spoliation is the intentional or negligent destruction or alteration of evidence when there is either a current
litigation, an investigation, or if there is a reasonable chance either may occur in the near future. Some
jurisdictions also define it as the failure to preserve information that may become evidence. Spoliation penalties
may range from financial sanctions to potential jail time if criminal provisions are violated. Failure to preserve
data that may become evidence is also spoliation in some jurisdictions.
Return to Top of Page
Metadata is often described as "data about the data". It includes information such as creation dates, modified
dates, last accessed dates, authors, source locations, and email routing information that generally do not appear
on the printed page. The electronic discovery process is the best method to access such metadata, which can contain
vital information about the custody and exposure to specific electronic documents.
Return to Top of Page